Another day, another unsecured data storage system reveals millions of customer records. This time it's Verizon customers in the US who were at risk, and the exposure is due to a misconfigured cloud-based file repository owned by Nice Systems.
According to UpGuard, which discovered the unsecured data, details of up to 14 million Verizon customers were available to download by anyone who could guess a web address. Verizon has since clarified it was 6 million.
UpGuard traced the data back to a Nice Systems engineer based in the company's Ra'anana, Israel headquarters. Nice Systems provides both back-office and call center operations systems for Verizon. The Nice engineer had set up an Amazon Web Services S3 data store, which was then used to log Verizon customer call data. That data included names, addresses, phone numbers, and account PIN codes. Used together, they would give a scammer everything required to pose as a Verizon customer on a call.
According to ZDNet, the data is collected from customer calls and stored by Nice Systems so that it can be analyzed to help improve the customer service experience. The log files created contain the last six months of customer call data. But why was it unsecured, and why was it the responsibility of a single engineer at Nice?
What's also worrying beyond the lack of security is the slow response by Verizon to the threat. UpGuard informed Verizon of the security risk on June 13, but it wasn't fixed until June 22.
In a press release, Verizon responded to the data exposure discovery by stating, "We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information."
The release goes on to state that, "The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area."